registry  /  nottuff15  /  1.7.7

nottuff15@1.7.7

OSV Malicious Advisory

scanned 13d ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-5914 confirms this npm version as malicious. nottuff15 is one entry in a coordinated npm namespace-spam campaign. The tarball ships auto-publish.sh, a bash script that copies the package contents into ~95 differently-named tarballs (imillegal*, ishowfeet*, nottuff1..30, abuden*, ratelimitsucks*) and force-publishes each via `npm publish`; the package's own name 'nottuff15' appears in that list, confirming this release is generator output...

Advisory
MAL-2026-5914
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in nottuff15 (npm)
Details
nottuff15 is one entry in a coordinated npm namespace-spam campaign. The tarball ships auto-publish.sh, a bash script that copies the package contents into ~95 differently-named tarballs (imillegal*, ishowfeet*, nottuff1..30, abuden*, ratelimitsucks*) and force-publishes each via `npm publish`; the package's own name 'nottuff15' appears in that list, confirming this release is generator output. Package metadata is placeholder (description: "package", empty author). The actual payload is a bundled SPA + ServiceWorker web-proxy (Scramjet) plus a 5.4MB WASM-curl bundle in j3ve9/ls3ez.mjs, distributed via npm but intended to be hosted as a static site — npm is being abused as a static-asset CDN. The package's main entry (sw.js) calls importScripts() on its first line, which is a browser ServiceWorker global undefined in Node, so `require('nottuff15')` throws a ReferenceError immediately — there is no functioning library here. The bundled index.html registers click/keydown/touchstart listeners that redirect users to https://abdct.com/ on first interaction (rate-limited via localStorage), and loads a remote script from https://cdn.21baseballacademy.com/script/jrqK2HPsliMjRW5Q.js — browser-side affiliate-redirect infrastructure under a tutoring-themed cover page. Twelve of the bundled JS assets are heavily obfuscated. No preinstall/install/postinstall/prepare hooks are declared, so there is no install-time auto-execution against the installer. ## Source: ghsa-malware (64eb7517cdbed2e5254d6f5e519bf73a07bc5d50b5346c6a92fa36d5b73544e4) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms nottuff15@1.7.7 as malicious (MAL-2026-5914): Malicious code in nottuff15 (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory